Early Detection Feeds

Level-Up Your Security Stack with Enriched Threat Data

Monitor your cyber ecosystem

Our platform includes a comprehensive array of early detection feeds, which actively monitor domains, IPs, and URLs associated with various licensed and open-source frameworks, including C2 infrastructure.

Ingest threat-specific early detection data

Stay ahead of emerging threats and gain real-time insight into malicious campaigns targeting your organization.

Enrich alerts with risk and reputation scores

Provide context and prioritization to security alerts, enabling your team to focus on the most critical and potentially harmful incidents.

Map out active C2 servers

Monitor command and control servers in real-time, across a range of attack vectors.

Leverage a vast array of endpoints

Access a wide range of data sources and scoring systems to help you assess the trustworthiness and potential risks associated with various digital entities and online activities, including IP, domain, ASN and URL scoring.

Integrate With The World’s Leading First-Party DNS Threat Database

Use the Silent Push API to feed enriched data into your security infrastructure, allowing you to detect and respond to potential threats faster and more efficiently.

Curated Threat Feeds

Our feeds reflect an ongoing commitment to bolstering cyber defenses across the global security community. Real-time IOFA updates  provide your security teams with up-to-date insights that safeguard your digital infrastructure.

1877 Team Domains and IPs

The 1877 Team is a Kurdish hacktivist group founded in July 2021 and has claimed responsibility for large doxing campaigns, massive website defacements, DDoS attacks, and the compromise of servers and databases from governments, universities, telecommunication, defense, and IT corporations. The hacker’s primary targets lie in the Middle East, but African, Asian, and Western organizations have also been affected. The 1877 Team’s self-proclaimed goals include pressuring governments, spreading public dissent, and establishing a reputation within the cybercriminal space. Two feeds.


Domains related to ACTINIUM, a Russian threat group which has been operational for almost a decade and has consistently launched attacks against organizations in Ukraine, or entities related to Ukrainian affairs.

Android Malware Domains and IPs

Domains and IPs associated with c2 infrastructure and admin panels of popular trojans associated with Android OS. Two feeds.

APT28 Domains and IPs

Domains and IPs utilized by APT 28 (also known as Fancy Bear), a Russian-based threat actor active since 2008. APT 28 has reportedly attacked infrastructures in the defense, energy, government, media, and aerospace sectors, particularly through the use of phishing campaigns and credential harvesting. Two feeds.

APT36 Domains & IPs

Domains and IPs associated with APT36 (also known as Earth Karkaddan), a Pakistani-based threat group known for targeting government and diplomatic organizations through cyber espionage, phishing, remote access trojans and social engineering. Two feeds.

Assorted Threats Domains and IPs

Various domains and IPs identified on malicious infrastructures seen across the world. The indicators on this feed include domains used for exploits, malware distribution, phishing attacks, command and control domains, botnets, personal data sales and ‘black’ business forums.

Banking Malware Domains and IPs

Domains involved in deploying banking malware, such as IcedID, URSNIF, and Zusy, among others. Two feeds.

Bazarcall Domains and IPs

Covers domains and IP addresses for Bazarcall Scam which works as a callback fraud initiated through phishing emails and potential victims are redirected to fake support pages to connect with modified versions of remote desktop tools to control their systems. Silent Push worked with CISA to protect users as some of the federal employees became victims of the campaign as well. Two feeds.

CISA advisory can be seen here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a

BlueNoroff Domains and IPs

Domains and IPs associated with BlueNoroff, a threat actor linked to the North Korean Lazarus group. The attacks from this group are financially motivated, targeting ATMs, banks, fintech, and cryptocurrency platforms. Two feeds.

BulletProof Hosting Domains and IPs

Domains detected in several bulletproof hosting infrastructures such as Yalishanda, Eliteteam or DDoS-Guard, among others. Two feeds.

Cobalt Strike C2 Active Domains and IPs

Domains and IPs with live Cobalt Strike beacons. Two feeds.

Covenant C2 Domains and IPs

Domains and IP addresses that are linked to Covenant – a .NET command and control framework.

GitHub – cobbr/Covenant: Covenant is a collaborative .NET C2 framework for red teamers.

Empire C2 IPs

IP addresses that are linked to Empire 4 – a post-exploitation framework that includes a pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents.

GitHub – BC-SECURITY/Empire: Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.

Fake Trading Apps Domains and IPs

Domains used to propagate several scams impersonating online trading services. Two feeds.

Fastflux Domains

Domains hosted on ‘fast flux’ infrastructure – an IP-swapping technique allows threat actors to hide their malicious activities from blocklists and takedowns.

Havoc Framework IPs

Havoc open-source command and control (C2) framework known as an alternative to paid options such as Cobalt Strike and Brute Ratel. This feed collects c2 servers exposed externally using the post exploitation tool.

Infostealers Domains and IPs

Domains associated with information-stealing malware – designed to harvest personal information such as cookie data, user names, and passwords. Info stealers have gained popularity among cybercriminals due to their cheap cost and availability in malware-as-a-service products. Two feeds.

Kimsuky Domains and IPs

Kimsuky is a North Korean APT group operating since 2012, targeting organizations in South Korea, US and Japan. Tracks domains and IPs associated with the c2 infrastructure operated by the group. Two feeds.

Malicious Nameservers Domains

Domains with NS records pointing at suspicious name servers – including phishing activities, C2 operations and botnets.

Malvertising Domains and IPs

Domains linked to SEO poisoning/malvertising campaigns used to propagate malware spoofing brands such as AnyDesk, Remote Desktop, OBS, TeamViewer, MSI Afterburner, Blender, Open office, Audacity, Slack, and Brave Browser.

Metasploit Pro Server IPs

A list of server IPs that are active within the Metasploit network – the world’s most popular penetration testing framework.

GitHub – rapid7/metasploit-framework: Metasploit Framework

Mythic C2 Domains and IPs

A feed containing domains and IPs that are active on the Mythic network – a cross-platform, post-exploit, red teaming framework used by legitimate organizations and threat actors alike.

GitHub – its-a-feature/Mythic: A collaborative, multi-platform, red teaming framework.

Phishing Domains and IPs

Phishing domains gathered from several campaigns across the Internet.

Posh C2 IPs

IP addresses visible within the PoshC2 framework – proxy-aware C2 infrastructure used to aid penetration testers with red teaming, post-exploitation and lateral movement.

GitHub – nettitude/PoshC2: A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

Silicon Valley Bank Suspect Domains

This feed contains all recently registered domains relating to Silicon Valley Bank. Note that not all domains listed here will be malicious. We expect an increase in malicious campaigns in the upcoming weeks, so we’ll closely monitor these assets and mark serious threats when they appear.

Suspected Deimos C2 Domains and IPs

Domains and IPs suspected to be active on the Deimos C2 platform – a post-exploitation, open-source Command & Control (C2) tool that replicates much of the functionality of Cobalt Strike and Deimos.

GitHub – DeimosC2/DeimosC2: DeimosC2 is a Golang command and control framework for post-exploitation.

Suspected Evilginx2 Domains and IPs

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials, along with session cookies, which allows threat actors to bypass 2FA. Two feeds.

Suspected Merlin C2 Domains and IPs

Trojan Downloaders Domains and IPs

Domains associated with trojans that download and execute malware on compromised systems. Two feeds.

Underground Threats Domains and IPs

Credit card sale domains, black business forums and sites hosting information about the sale of personal data, social media accounts, passwords, financial accounts and crypto wallets. Two feeds.

Web Skimmer Domains

Web skimming, also known as digital skimming, is a hacking technique that targets digital businesses by manipulating unmonitored and compromised client-side web applications. Usually, these attacks are initiated by placing malicious JavaScript (JS) code strategically on payment and checkout pages of the website where unsuspecting users fill in their personal and financial details. Although commonly found on eCommerce websites, banking, finance, healthcare, tourism, and other eService platforms are also being targeted. This feed consists of domains used in these campaigns.

Worst AS Takedown Score IPs

IP addresses from ASNs with the worst Silent Push takedown score.

Worst Subnet Score IPs

IP addresses from subnets with the worst Silent Push risk score.

Learn more about our early detection feeds

See how our platform provides real-time insights that protects organizations
from all manner of DNS-based attack vectors.